—-IPSEC

Negotiation protocol – AH, ESP, ESP + AH   //which IPsec encryption, authentication and protection are used

Encryption – DES, 3DES, AES, RSA, DH   //scramble the data

Authentication – MD5, SHA1   //hash algorithms; prove the data came from peer X and was not altered in transit

Protection – DH1, 2, 5, 7   //Diffie-Hellman groups

—-2 modes of VPN

Transport mode – Can be used on the internal LAN environment to encrypt traffic.

Layer 4 and above is encrypted. Only the IP and MAC headers are left in the clear.

Tunnel mode – Used across WAN links; the whole original packet is encrypted.

A new IP and MAC header is added to the packet; at the receiving end it is stripped off

and the packet is decrypted for the client.

—Key types.

Symmetric keys are the same on each side   //very fast. Also called a Shared Secret.

Asymmetric keys are different on each side   //more CPU usage, more secure.

—Diffie-Hellman

Each router has a private and a public key (asymmetric).

The public keys are exchanged and each router generates the same shared key from its own private key and the peer's public key.

The new shared key is then used as the symmetric session key. This is better because

symmetric encryption uses far less CPU per packet than encrypting every packet with the asymmetric keys.

The private key is never sent; it is what lets the router derive the shared key and decrypt incoming packets.

The VPN will tear down by default after 4 MB or 80000 seconds.
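The exchange described above, as an added example that is not part of the original notes: two routers each generate a private/public Diffie-Hellman pair, derive the same shared secret, hash it into a symmetric session key, and then use that key for the HMAC-SHA1 style integrity check the notes list under "Authentication". Only the Python standard library is used; the modulus is the 1024-bit MODP prime of IKE DH group 2 (RFC 2409), the "packet" is a constructed sample, and the key-derivation label is an assumption of this demo, not IKE's real PRF.

```python
"""Added example (not from the original notes): Diffie-Hellman between two VPN peers,
session-key derivation from the shared secret, and an HMAC-SHA1 integrity check."""
import hashlib
import hmac
import secrets

# 1024-bit MODP prime, IKE Diffie-Hellman group 2 (RFC 2409, section 6.2).
DH_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
DH_GROUP2_G = 2


def looks_prime(p: int, rounds: int = 8) -> bool:
    """Cheap Fermat sanity check that the embedded modulus is a prime (guards against a typo)."""
    return all(pow(secrets.randbelow(p - 3) + 2, p - 1, p) == 1 for _ in range(rounds))


class Router:
    """One VPN peer: keeps its private DH value secret and publishes the public value."""

    def __init__(self, name: str, p: int = DH_GROUP2_P, g: int = DH_GROUP2_G) -> None:
        self.name, self.p, self.g = name, p, g
        self.private = secrets.randbelow(p - 2) + 1   # never leaves this router
        self.public = pow(g, self.private, p)          # sent to the peer in the clear
        self.session_key = None

    def derive_session_key(self, peer_public: int) -> bytes:
        """Combine the peer's public value with our private value into the shared secret,
        then hash it down to a fixed-size symmetric key for the session."""
        if not 1 < peer_public < self.p - 1:
            raise ValueError("peer public value out of range")   # rejects 0, 1 and p-1
        shared = pow(peer_public, self.private, self.p)
        shared_bytes = shared.to_bytes((self.p.bit_length() + 7) // 8, "big")
        # Demo-only key derivation label (assumption); IKE uses its own PRF construction.
        self.session_key = hashlib.sha256(b"ikev1-demo-session" + shared_bytes).digest()
        return self.session_key


def seal(key: bytes, payload: bytes) -> bytes:
    """Append an HMAC-SHA1 integrity check value, the way AH/ESP authentication does."""
    return payload + hmac.new(key, payload, hashlib.sha1).digest()


def open_packet(key: bytes, packet: bytes):
    """Return the payload if the 20-byte ICV verifies, or None (the packet is to be dropped)."""
    payload, icv = packet[:-20], packet[-20:]
    if hmac.compare_digest(hmac.new(key, payload, hashlib.sha1).digest(), icv):
        return payload
    return None


def demo() -> dict:
    """Run one exchange between R1 and R2 and report what a defender cares about."""
    r1, r2 = Router("R1"), Router("R2")
    k1 = r1.derive_session_key(r2.public)
    k2 = r2.derive_session_key(r1.public)
    packet = seal(k1, b"constructed sample payload")           # constructed sample
    tampered = packet[:5] + bytes([packet[5] ^ 0x01]) + packet[6:]
    return {
        "keys_match": k1 == k2,
        "good_packet_accepted": open_packet(k2, packet) is not None,
        "tampered_packet_dropped": open_packet(k2, tampered) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Both sides end up with the same session key although only the public values crossed the link, and any change to an authenticated packet makes the ICV check fail, which is why a receiver drops it rather than decrypting it.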

—NAT extendable

If the same inside IP address must be translated to the same global address more than once (e.g. for different ports),

you must use the extendable keyword to allow the multiple entries.

ip nat inside source static tcp 10.151.16.48 80 203.113.200.79 80 extendable

ip nat inside source static tcp 10.151.16.48 443 203.113.200.79 443 extendable

—Authentication

Methods: username + password, biometrics, pre-shared keys, one-time password.

Authentication will also tie to a specific IP address.

If the IP address and password do not both match, the connection will not happen.

—Certificates

Certificates make it easy to cycle keys on an interval instead of managing pre-shared keys.

They are a way of confirming that a router should trust another router.

This is called PKI (Public Key Infrastructure).

2 ways to get your certificate (SCEP, Simple Certificate Enrollment Protocol):

manual -> need to go to the server and approve the issuing of the cert

pre-shared key -> automatically receive the certificate from the CA.

X.509 = certificate standard (contains router signature, CA signature, public key)

PKCS#7 = part of the cert that is signed by the CA cert.

PKCS#10 = request for another certificate

—–VPN concepts.

A VPN is really a tunnel within a tunnel.

AH – Authentication Header. No encryption.

ESP – Encapsulating Security Payload. Does encryption.

//Defining your "interesting traffic": which traffic will take the VPN route

Uses an access list. Must mirror the one on the other side of the tunnel.

That way internet traffic does not use the tunnel.
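A check for the point made above, added here and not part of the original notes: the crypto ACL on each end must be the mirror image of the other (source and destination swapped), and an entry like `permit ip any any` would push internet traffic into the tunnel. The ACL text below is a constructed sample in Cisco IOS extended-ACL syntax; the parser understands `permit/deny <proto> <addr> <wildcard> | host <addr> | any` for source and destination.

```python
"""Added example (not from the original notes): verify that two crypto ACLs mirror each
other and flag entries that are too broad to be sensible 'interesting traffic'."""
import ipaddress
from typing import List, Tuple

Ace = Tuple[str, str, ipaddress.IPv4Network, ipaddress.IPv4Network]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn IOS 'address wildcard' notation into a network (wildcard is the inverted mask)."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _take_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    return wildcard_to_network(tok, tokens[i + 1]), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'permit ip <src> <dst>' into (action, protocol, src_net, dst_net)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line!r}")
    src, i = _take_addr(tokens, 2)
    dst, _ = _take_addr(tokens, i)
    return tokens[0], tokens[1], src, dst


def parse_acl(text: str) -> List[Ace]:
    """Parse every non-empty, non-comment line of an ACL body."""
    return [parse_ace(l) for l in text.splitlines() if l.strip() and not l.strip().startswith("!")]


def mirror_mismatches(local_acl: str, remote_acl: str) -> List[Ace]:
    """Return local entries that have no mirrored (src/dst swapped) entry on the remote side."""
    remote = set(parse_acl(remote_acl))
    return [e for e in parse_acl(local_acl) if (e[0], e[1], e[3], e[2]) not in remote]


def too_broad(acl: str) -> List[Ace]:
    """Return permit entries whose source or destination is 'any': these pull in internet traffic."""
    everything = ipaddress.IPv4Network("0.0.0.0/0")
    return [e for e in parse_acl(acl) if e[0] == "permit" and everything in (e[2], e[3])]


# Constructed sample ACLs for a two-site tunnel (not from the notes).
SITE_A = """
permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
permit ip host 10.1.1.5 10.2.3.0 0.0.0.255
"""
SITE_B_OK = """
permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip 10.2.3.0 0.0.0.255 host 10.1.1.5
"""
SITE_B_BAD = """
permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip 10.2.3.0 0.0.0.255 10.1.1.0 0.0.0.255
"""

if __name__ == "__main__":
    print("mismatches vs good peer:", mirror_mismatches(SITE_A, SITE_B_OK))
    print("mismatches vs bad peer: ", mirror_mismatches(SITE_A, SITE_B_BAD))
    print("too broad:", too_broad("permit ip any any"))
```

Run it against both sides' `show run | section crypto` output before opening a case about a tunnel that negotiates but never passes traffic; a mismatched second entry, as in `SITE_B_BAD`, is exactly the kind of thing phase 2 will refuse.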

If a packet arriving along a VPN tunnel is not encrypted, the packet is dropped.

This may be an IP spoofing attack.

//IKE (Internet Key Exchange) Phase 1. Exchange keys securely.

Keys dynamically change.

There is a list of policies on each router,

policy 1 through x. It will go down the list and attempt to find a policy whose settings

can be used on both sides, e.g. DH group, AES, DES.
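The policy walk described above, as an added example that is not part of the original notes: the responder tries its own `crypto isakmp policy` entries in priority order and accepts the first one whose encryption, hash, authentication method and DH group all match one of the initiator's proposals; when the lifetimes differ the shorter one is used. The policy values are constructed samples, and `weak_attributes` is a hypothetical helper added here to flag the legacy choices a defender should want to see reported.

```python
"""Added example (not from the original notes): IKE phase 1 policy negotiation walk."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int          # lower number is tried first ('crypto isakmp policy <priority>')
    encryption: str        # des / 3des / aes
    hash: str              # md5 / sha
    authentication: str    # pre-share / rsa-sig
    group: int             # Diffie-Hellman group 1, 2, 5, 14 ...
    lifetime: int = 86400  # seconds

    def attrs(self) -> Tuple[str, str, str, int]:
        """The four attributes that must be identical on both sides."""
        return (self.encryption, self.hash, self.authentication, self.group)


def negotiate(local: List[IsakmpPolicy], remote: List[IsakmpPolicy]
              ) -> Optional[Tuple[IsakmpPolicy, IsakmpPolicy, int]]:
    """Walk the local list by priority; for each policy look for a remote policy with the
    same four attributes. Returns (local, remote, agreed_lifetime) or None if nothing matches."""
    for lp in sorted(local, key=lambda p: p.priority):
        for rp in sorted(remote, key=lambda p: p.priority):
            if lp.attrs() == rp.attrs():
                return lp, rp, min(lp.lifetime, rp.lifetime)
    return None


def weak_attributes(policy: IsakmpPolicy) -> List[str]:
    """Hypothetical hardening check: name the legacy algorithm choices in a policy."""
    reasons = []
    if policy.encryption == "des":
        reasons.append("single DES encryption")
    if policy.hash == "md5":
        reasons.append("MD5 hash")
    if policy.group in (1, 2):
        reasons.append(f"DH group {policy.group} (768/1024-bit)")
    return reasons


# Constructed sample policy lists for two peers (not from the notes).
R1 = [
    IsakmpPolicy(10, "aes", "sha", "pre-share", 14),
    IsakmpPolicy(20, "3des", "md5", "pre-share", 2),
]
R2 = [
    IsakmpPolicy(10, "3des", "md5", "pre-share", 2, lifetime=3600),
    IsakmpPolicy(20, "aes", "sha", "pre-share", 14),
]
R3 = [IsakmpPolicy(10, "aes", "sha", "rsa-sig", 14)]   # auth method differs from R1

if __name__ == "__main__":
    print("R1 <-> R2:", negotiate(R1, R2))
    print("R1 <-> R3:", negotiate(R1, R3))   # None: no policy agrees on all four attributes
    print("weak:", weak_attributes(R1[1]))
```

Note that R1's priority-10 policy wins even though R2 lists the same settings at priority 20: the side doing the walk goes down its own list first. When `negotiate` returns None the symptom on the box is a phase 1 that never reaches the IDLE state in `show crypto isakmp sa`, and `debug crypto isakmp` shows the attribute mismatch.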

//IKE Phase 2. Encrypt using the key received.

Generates the symmetric session keys using the algorithms agreed in the transform set.

//Data Transfer

//VPN teardown. After the timeout it closes.

After a set amount of time or data,

break the VPN and regenerate new asymmetric (DH) keys.

—VPN configuration. Site-to-Site VPN

//Debug a tunnel forming; check that the attributes are acceptable.

debug crypto isakmp

debug crypto ipsec

//Check tunnel status. IDLE means it is up.

show crypto isakmp sa   //IKE phase 1 tunnel. Until traffic is sent there is no tunnel.

show crypto ipsec sa   //IKE phase 2 tunnel. Until traffic is sent there is no tunnel.

show crypto isakmp policy   //lists every policy by priority number

show run | section crypto

show crypto map   //see phase 2 information
